Skip to content
HoldField

SignedPacks

Controlled change, never silent

Approved improvements become signed, verified, shadow-tested, rollback-safe packs before any controlled use — never a silent or automatic production change.

Step 01

Proposal ready

A reviewed improvement proposal becomes eligible for pack creation — nothing is applied.

Inputs

  • Approved improvement proposal
  • Evidence references
  • Risk review
  • Shadow validation plan
  • Rollback requirement
  • Customer review status

Proof generated

  • Proposal-ready receipt
  • Source evidence list
  • Pack eligibility state

Where it appears in the app

  • Improvements
  • EvidenceWorks
  • Governance

AI Sense support

  • Checks for missing evidence
  • Flags a missing rollback plan
  • Flags an unsupported claim

Safety boundary

  • Proposal readiness does not apply a change.

Step 02

Pack built

A deterministic, hashable pack is built from the approved proposal — building is not installing.

Inputs

  • Manifest
  • Target station scope
  • Proposal reference
  • Risk review reference
  • Shadow validation requirements
  • Rollback plan reference
  • Customer summary reference
  • Artifact hash

Proof generated

  • Pack manifest hash
  • Artifact receipt
  • Build receipt
  • Omissions list

Where it appears in the app

  • SignedPacks
  • Improvement proposals
  • Governance

AI Sense support

  • Detects manifest gaps
  • Flags a mismatched proposal scope
  • Lists the omissions

Safety boundary

  • Building a pack does not install or activate it.

Step 03

Signature required

An unsigned pack is inspect-only and can never be activated.

Inputs

  • Authorized signer
  • Pack hash
  • Signing policy
  • Signer role
  • Expiration policy
  • Revocation check

Proof generated

  • Signature-required receipt
  • Signing policy reference

Where it appears in the app

  • SignedPacks
  • Governance
  • Trust

AI Sense support

  • Flags a missing signer authority
  • Flags an expired signing policy
  • Flags an unsigned pack

Safety boundary

  • An unsigned pack cannot be activated.

Step 04

Signed

The signing receipt records the public-key fingerprint and never the private key.

Inputs

  • Signature receipt
  • Signer reference
  • Public-key fingerprint
  • Signed pack hash
  • Timestamp

Proof generated

  • Signature receipt
  • Signer reference
  • Public-key fingerprint
  • Signed pack hash
  • Timestamp

Where it appears in the app

  • SignedPacks
  • Governance
  • Trust

AI Sense support

  • Checks a signer-role mismatch
  • Flags an expired key
  • Flags a missing receipt chain

Safety boundary

  • Signing records authorization; it does not command hardware.

Step 05

Verified

The pack is cryptographically verified before any controlled use — verification is not activation.

Inputs

  • Signature validity
  • Pack hash match
  • Signer-not-revoked check
  • Artifact-not-tampered check
  • Policy version
  • Scope-matches-proposal check

Proof generated

  • Verification receipt
  • Policy check result
  • Hash-chain status

Where it appears in the app

  • SignedPacks
  • Trust
  • Ops metrics

AI Sense support

  • Flags a verification failure
  • Flags a scope mismatch
  • Flags a revoked signer

Safety boundary

  • Verification does not mean production-active.

Step 06

Shadow gate passed

A behaviour-changing pack must pass shadow validation before any controlled use.

Inputs

  • Known-good sample result
  • Known-bad sample result
  • False-reject impact
  • Escape impact
  • Coverage regression
  • Drift stability
  • Sample-size minimum

Proof generated

  • Shadow validation receipt
  • Sample summary
  • Known-bad coverage result
  • Risk outcome

Where it appears in the app

  • Improvement validation
  • SignedPacks
  • EvidenceWorks

AI Sense support

  • Flags insufficient samples
  • Flags missing known-bad coverage
  • Flags a drift regression

Safety boundary

  • A shadow pass does not activate production behaviour.

Step 07

Installed inactive

A verified pack may be installed inactive for inspection and staging — it changes nothing live.

Inputs

  • Verified pack
  • Station scope
  • Artifact-present check
  • Last verification

Proof generated

  • Inactive installation receipt
  • Station scope receipt
  • Artifact-present receipt

Where it appears in the app

  • SignedPacks
  • Stations
  • Ops metrics

AI Sense support

  • Flags inactive-pack drift
  • Flags a station mismatch
  • Flags stale verification

Safety boundary

  • Installed inactive does not change live routing, model behaviour, or PLC behaviour.

Step 08

Activation requested

Activation is a controlled request routed to human approval — never self-approval.

Inputs

  • Verified signature
  • Shadow gate pass
  • Rollback plan
  • Station eligibility
  • Recovery-lock state
  • Unresolved safety blockers
  • Required approvals
  • Effective window

Proof generated

  • Activation request receipt
  • Blocker list
  • Approval requirements

Where it appears in the app

  • SignedPacks
  • Governance
  • Commissioning
  • Ops metrics

AI Sense support

  • Explains the blockers
  • Flags missing approvals
  • Flags unsafe timing

Safety boundary

  • An activation request does not apply the pack.

Step 09

Rollback ready

A signed rollback path must exist before any controlled use.

Inputs

  • Previous pack reference
  • Rollback trigger
  • Rollback owner
  • Rollback evidence requirement
  • Customer communication plan
  • Deadline
  • Receipt chain

Proof generated

  • Rollback readiness receipt
  • Previous version hash
  • Rollback path verification

Where it appears in the app

  • SignedPacks
  • Improvements
  • Trust

AI Sense support

  • Flags a missing rollback owner
  • Flags a stale rollback reference
  • Flags missing evidence

Safety boundary

  • Rollback readiness does not change the station.

Step 10

Customer summary generated

A customer-safe impact summary is generated for review — the summary does not approve itself.

Inputs

  • What changed
  • Why it was proposed
  • Evidence references
  • Shadow validation result
  • Risk review
  • Rollback plan
  • Known limitations
  • Omissions list
  • Approval status

Proof generated

  • Customer-safe packet
  • Known-limitations list
  • Omissions list
  • Review handoff receipt

Where it appears in the app

  • SignedPacks
  • SignalOps
  • Trust
  • Customer packets

AI Sense support

  • Removes unsupported claims
  • Highlights missing proof
  • Prepares a customer-safe summary

Safety boundary

  • The customer summary informs review; it does not approve itself.

AI Sense watches for gaps, never approves

AI Sense

One reading layer across every SignedPacks step

Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.

Reads

  • Evidence bundles
  • Review events
  • QA decisions
  • Vision Twin drift
  • Commissioning blockers
  • Governance decisions
  • Station registry
  • Ops metrics

Produces

  • Findings
  • Evidence-gap warnings
  • Work-package hints
  • Commissioning questions
  • Support summaries

Never

  • No PLC writes
  • No force PASS
  • No recovery clear
  • No robot commands
  • No camera/light commands
  • No production approval
  • No evidence mutation
  • No QA decision mutation

AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.

Customer-safe summary

Proof by reference, never raw data

The redacted summary carries a plain-English account of the change, references, the shadow result, risk, the rollback plan, and an explicit omissions list — so a customer can review it without ever seeing raw internals.

what_changed
plain-English summary of the change
why_proposed
the reviewed reason, by evidence reference
evidence_refs
capsule + receipt references only
shadow_result
sample summary + known-bad coverage outcome
risk_review
risk class + reviewer requirements
rollback_plan
owner, trigger, deadline (references only)
known_limitations
what the pack does not claim
approval_status
signed / verified / activation-requested state
omissions
explicit list of what was withheld

The summary never contains raw PLC coils or registers, private keys or signing secrets, authority tokens, local file paths, raw internal command payloads, operator personal identity.

Signed-in teams run this operationally in the HoldField app, under SignedPacks — where a pack is built, signed, verified, shadow-tested, installed inactive, and activation is requested for human approval, and where every action records authorization but never commands hardware, applies the pack, or approves itself. Open the workspace →